Monday, August 3, 2015

Integrating RSA 8.1 (SNMPv3 traps) with Splunk on CentOS 6.6

While versions of RSA prior to 8.1 supported SNMP v2, version
8.1 only supports SNMP v3. To receive this data in Splunk, RSA needs to be
configured to send traps to Splunk. The SNMP traps are then written to a file
which is then read by Splunk. The assumption here is that if you are reading
this document you are running Splunk on CentOS (any Linux may work just fine
with some tweaks) and using net-snmp. I’m using version 5.5.

Configuring The Basic SNMP v3 on RSA

Note for the RSA your AES and SHA values must have some level of complexity. That is numbers, letters and special characters, etc.

Configuring SNMP traps on the RSA

Configuring the SNMP v3 traps on CentOS

Stop the current snmptrapd service if it is currently
running: “service snmptrapd stop”

Run tcpdump to ensure traffic is coming on port 162 from
your RSA Servers

tcpdump -nnvi any port 162

By focusing on only port 162, the assumption is you have
nothing else sending traps. If you do, you should consider using a tcpdump
filter such as:

tcpdump -nnvi any "host my_rsa_server and port 162"

Replace “my_rsa_server” with the IP address of your own RSA server.

In another window run snmptrapd in debugging mode.

snmptrapd -On -Lsd -Lf snmp.log -p snmptrapd.pid -D -d -f

After a few packets have come in with the SNMP trap from your rsa_server, switch back to the window running “snmptrapd” and kill the process with "CTRL+C".

-e 0xEngine_ID - the value represents the engine ID of the sender, obtained above from the “grep -i lcd” output. The value we will use is “11 22 33 44 55 66 77 88 99 29”. This engine ID needs to be prepended with “0x” and the spaces removed, so our new engine ID looks like “0x11223344556677889929”.

snmpv3_sending_user – The user configured in the RSA basic config

authentication_protocol – either MD5 or SHA

authentication_password – Password specified on RSA

privacy_protocol – DES or AES

privacy_passphrase - Password specified on RSA

Using the information above, our “/var/lib/net-snmp/snmptrapd.conf” will have the line below:
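As an added example (not from the original post), the following shell snippet assembles the snmptrapd.conf entries from the values listed above: it converts the spaced engine ID into the 0x form the -e option expects and writes a createUser line plus the matching authUser line that lets snmptrapd log traps from that user. The user name, passwords and engine ID are constructed placeholders; the output path is assumed to be a temp file unless CONF is set.

```shell
#!/bin/sh
# Added example, not from the original post. All values are constructed
# placeholders; use the user/passphrases configured on your RSA.

# Turn the engine ID as printed by "grep -i lcd" ("11 22 33 ...") into the
# 0x-prefixed, space-free form snmptrapd's "createUser -e" expects.
engine_id_hex() {
    printf '0x%s\n' "$(printf '%s' "$1" | tr -d ' ')"
}

# Write a snmptrapd.conf that (a) creates the SNMPv3 user with the sender's
# engine ID and the same auth/priv settings as the RSA, and (b) lets that
# user's traps be logged, requiring authentication and privacy.
# Usage: write_snmptrapd_conf FILE ENGINE_ID_HEX USER AUTH_PROTO AUTH_PASS PRIV_PROTO PRIV_PASS
write_snmptrapd_conf() {
    conf="$1"; eid="$2"; user="$3"
    aproto="$4"; apass="$5"; pproto="$6"; ppass="$7"
    {
        echo "# SNMPv3 user for traps sent by the RSA (engine ID is the RSA's, not ours)"
        echo "createUser -e $eid $user $aproto $apass $pproto $ppass"
        echo "# Accept and log traps from that user only when auth+priv are used"
        echo "authUser log $user priv"
    } > "$conf"
}

# Demo with constructed values. On the real receiver set
# CONF=/var/lib/net-snmp/snmptrapd.conf (with snmptrapd stopped, as above).
CONF="${CONF:-$(mktemp)}"
write_snmptrapd_conf "$CONF" "$(engine_id_hex '11 22 33 44 55 66 77 88 99 29')" \
    snmpv3_sending_user SHA 'Auth-Pass-1!' AES 'Priv-Pass-2!'
cat "$CONF"
# Once traps decode correctly in debug mode, run snmptrapd without -D -d -f
# (keeping -Lf snmp.log) and point a Splunk file monitor at that log file.
```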

Below is a list of threat intelligence websites that you can use. Cymon.io is an excellent one as it searches around 200 different sources. If you’re looking for a more exhaustive list of threat intel sites, check out https://github.com/rshipp/awesome-malware-analysis